Responsible disclosure policy

Last updated: June 11, 2026 · security.txt

Lawenots welcomes good-faith security research on our infrastructure and public web properties. This policy describes how to report vulnerabilities, what is in scope, and what you can expect from us.

How to report

Email security@lawenots.com with:

• A clear description of the vulnerability and impact
• Steps to reproduce (proof of concept or screenshots)
• Affected URLs or API endpoints
• Your preferred contact for follow-up

Encrypt sensitive details if needed — request our PGP key in your initial message.

In scope

• www.lawenots.com and subpaths (static site, SENTINEL APIs)
• /api/contact and /api/sentinel/* serverless routes
• Authentication bypass, injection, SSRF, and privilege escalation on the above

Out of scope

• Third-party services (Vercel, Web3Forms, Flomisma portal)
• Social engineering, physical access, or denial-of-service attacks
• Scanning assets you do not own without written permission
• Issues in client-hosted properties Lawenots does not operate

Safe harbor

We will not pursue legal action against researchers who:

• Follow this policy and give us reasonable time to remediate before public disclosure
• Avoid privacy violations, data destruction, or service disruption
• Do not access data beyond what is necessary to demonstrate the issue

Response timeline

• 72 hours — acknowledgment of receipt
• 14 days — initial severity assessment and remediation plan
• 90 days — target fix for confirmed issues (critical issues prioritized)

Acknowledgments

We credit researchers who report valid, in-scope issues with permission. No paid bug bounty program at this time.